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Abstract: In this paper, we present a probabihstic adaptation of an As- 
sume/Guarantee contract formahsm. For the sake of generaUty, we assume 
that the extended state machines used in the contracts and implementations 
define sets of runs on a given set of variables, that compose by intersection over 
the common variables. In order to enable probabilistic reasoning, we consider 
that the contracts dictate how certain input variables will behave, being either 
non-deterministic, or probabilistic; the introduction of probabilistic variables 
leading us to tune the notions of implementation, refinement and composition. 
As shown in the report, this probabilistic adaptation of the Assume/ Guarantee 
contract theory preserves compositionality and therefore allows modular relia- 
bility analysis, either with a top-down or a bottom-up approach. 

Key-words: Assume/Guarantee Reasoning, Contracts, Probabilistic reason- 
ing. Reliability analysis. 
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Un modele de raisonnement probabiliste base 
sur les contrats Assume/Guarantee 

Resume : Cc document presents une adaptation probabiliste d'un forma- 
lisme de contrats Assume/Guarantee. On supposera, dans le but d'etre le plus 
general possible, que les machines tats tendues utilisees pour les contrats et 
implementations dcfinissent des ensembles d'histoires sur un ensemble de va- 
riables donn, et qu'elles se composent par intersection sur les variables com- 
munes. Pour permettre un raisonnement probabiliste, on considere que les 
contrats precisent le comportement des variables d'entrees, non-deterministes 
ou probabilistes. Le fait de considerer des entrees probabilistes necessite une 
adaptation des notions d'implcmentation, composition et raffinement. Ce rap- 
port montre que cette adaptation probabiliste de la theorie des contrats ^45- 
sumey Guarantee preserve la compositionalite, et permet de ce fait une analyse 
de fiabilitc modulaire, que ce soit par une approche ascendante ou descendante. 

Mots-cles : Raisonnement Assume/Guarantee, Contrats, Raisonnement 
probabiliste, Analyse de fiabilite. 
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1 Introduction 

Several industrial sectors involving complex embedded systems have recently ex- 
perienced deep changes in their organization, aerospace and automotive being 
the most prominent examples. In the past, they were organized around ver- 
tically integrated companies, supporting in-house design activities. These sec- 
tors have now evolved into more specialized, horizontally structured companies: 
equipment suppliers and OEMs. OEMs perform system design and integration 
by importing/reusing entire subsystems provided by equipment suppliers. As a 
consequence, part of the design load has been moved from OEMs to suppliers. 
An inconvenient of this change is the increased occurrence of late error discovery, 
system level design errors uncovered at integration time. This is particularly 
true for system reliability, for state of the art reliability analysis techniques are 
not modular [HRMllSlM] . 

A corrective action, taken in the last decade is that the OEMs now focus 
on the part of the system design at the core of their business, and as far as 
possible, rely on industry-wide standard platforms. This has an impact on 
design methods and modeling formalisms: Virtual prototyping, design space 
exploration are required early in the design cycle. Component based design has 
emerged as the most promising technique to address the challenges resulting 
from this new organization of the industry. 

However, little has been done regarding the capture of reliability require- 
ments, their formalization in behavioural models and the verification techniques 
capable of analyzing in a modular way the reliability aspects of a system, at an 
early stage of design. The paper contributes to solve these issues: The seman- 
tics foundations presented in this paper consists in a mathematical formalism 
designed to support a component based design methodology and to offer mod- 
ular and scalable reliability analysis techniques. At its basis, the mathematical 
formalism is a language theoretic abstraction of systems behaviour. This ba- 
sic formalism can be instantiated to cover several aspects, including functional, 
timeliness, hybrid and reliability |BCP07| . This report presents the reliability 
aspect. 

The central concept of the formalism is the notion of contract, built on top 
of a basic behavioural formalism. Contracts allow to distinguish hypotheses on 
a component from hypotheses made on its environment. Contracts are central 
to component based design methodologies. 

This paper focuses on developing a compositional theory of probabilistic 
contracts, capable of capturing reliability aspects of components and systems. 
The key contributions arc the definition of probabilistic satisfaction, composition 
and refinement relations that ensure that they will be compositional. 

The paper is organized as follows: In the first section wc present the As- 
sume/Guarantee formalism upon which we built our probabilistic theory. In the 
second section we formally define the probabilistic Assume/Guarantee theory 
we developed and we prove that it is compositional. In a third section we com- 
pare our work to classical related formalisms like pCTL and pCTL* |ASBSV95l 
IHJ89j . or developed more recently, such as Dynamic Fault Trees |BCS07j and 
Arcade |BCH+08j . 
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2 Classical Assume/Guarantee Reasoning 

The model we have built is based upon the notion of components and As- 
sume/Guarantee reasoning. In this section, we will define the background upon 
which the report is based. In a first subsection we will give the definitions we 
used for contracts and implementations. Then we will present the basic opera- 
tions already existing on contracts and the main theorems we want to preserve 
in our probabilistic adaptation. 

2.1 Contracts and Implementations 

In order to define contracts and implementations, we need to consider the ab- 
stract notion of "assertion" . 

Definition 1 An assertion E = S :: a possesses a set of ports and variables 
( its signature, a ) through which it interacts with its environment. S is identified 
with the set of runs it defines or accepts, each run assigning a history for each 
variable and port. If necessary, the inverse projection of E = S :: a on a' 3 u 
will be denoted by E . 

We assume that there exists a complementation operator for an assertion E, 
relative to its signature a. It is denoted by ^E. Assertions compose by inter- 
section over the common sets of ports and variables (assuming the appropriate 
inverse projections have been performed to equalize the involved signatures). 
We will denote products either by Ei x E2 or Ei n E2 equivalently. 

Eix E2=EinE2 = Si r nS'2 T":: cr, with cr = crl supcr2 

With these notations and definitions, we will be able to define implementa- 
tions and contracts. 

Definition 2 An implementation is an assertion, i.e. a set of runs with a given 
.signature. 

We will use the symbol M ~ Sm ■'■ o'ai to refer to implementations. They 
are ordered by inclusion over the runs they contain (one more time assuming 
that the appropriate inverse projections have been performed). We will say 
that an implementation M refines an implementation M' with respect to the 
signature cr, written M M' , if and only if Sm Sm', i.e. Sm Sm' V- 

Composition preserves implementation refinement. 

Definition 3 A contract C a is a pair of assertions (A :: aA-,G :: (Tg) with 

• A is the assumption; 

• G is the guarantee, i.e. the promised behavior, under the hypothesis that 
A holds. 

Note that for a contract C :: a = {A :: <7a,G :: <jg)i we can consider the 
equivalent contract C' :: a = {A f"':: ct, G a). Whenever convenient, we 
will thus suppose that both assertions of a contract C have the same signature 
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and wc will denote respectively the assumption, the guarantee and the common 
signature of C by Ac , Gc and ac ■ 

The following definition of satisfaction will precise the interpretation we 
make of a contract. 

Definition 4 An implementation M satisfies a contract C :: ac — (^CiGc) 
( written M \^ C) if and only if 

M n Ac C'^c 

Satisfaction can be checked using equivalent formulas: 

A/ h C* ^ M C Gc U -^Ac M D {Ac n -Gc) = 

From these equivalent definitions, we can show that there exists a unique 
maximal implementation Ale satisfying a contract C: 

Mc = (GcU-^c) ■■■■crc 

This maximal implementation is to be interpreted as the implication A =i' G. 
We can prove that an implementation Af satisfies contract G = {Ac,Gc) if 
and only if it satisfies the equivalent contract (Ac-,Mc), and if and only if 
M Mc- We will say that a contract C :: a = {A :: (ta,G :: ctg) is in 
canonical form when G = Mc, or equivalently when -lA C G or G C -nA, 
and (7 = ffA ~ <^G- As the canonical form of a contract is unique and the 
satisfaction of the contract equivalent to the satisfaction of its canonical form, 
we will consider only contracts in canonical form in the rest of this document. 

2.2 Operations on Contracts 

The notion of composition of contracts formalizes how contracts attached to 
different components of a system should be combined in order to represent one 
single component. If G\ :: a\ = (Ai,Gi) and G2 :: ai = (^2,^2) are two con- 
tracts defined as in the previous section, their composition should respect some 
rules. First, their promises should be composed, as we want to guarantee that 
both Gi and G2 must be respected. Remember that composition is the intersec- 
tion of the two assertions, after computing the appropriate inverse projections 
in order to equalize the sets of variables and ports. 

Regarding the assumptions, we also want to assume that both Ai and A2 are 
respected, but we must consider the case when the second contract guarantees 
that part of the assumption of the first one is respected and vice-versa. A run 
satisfying the assumption of the composition should consequently either satisfy 
both Ai and A2 or be made unacceptable by the composition of the guarantees. 
Thus the following definition: 

Definition 5 Let Gi :: cti = (^i, Gi) and C2 ■■ cr^ = {A2, G2) be contracts, we 
define Gi j| G2 to be the contract C :: a = {A,G) such that: 

• cr = (Ti U CT2; 

» A={Ai r r\A2 r) u -(Gi r nG2 T"); 

• G = Gi nG2 T"- 
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Remark that the so defined contract is in canonical form. 
With the above definition, we can prove that the composition preserves the 
implementation relation. 

Lemma 1 If Mi h Ci and M2 \= C2 then Mi x M^ h C^i II (^2 • 
Proof : 

As the two contracts are supposed in canonical form, we have Mi C'^» d. Thus 
Ml X M2 C'^iua^ n G2, and Mi x M2 h C"! n C2. 

□ 

Next, we will need to build a refinement relation. Intuitively, this relation 
must be compatible with the composition operation and the implementation 
relation. We will thus say that a contract C refines another contract C" if it 
assumes less and guarantees more: 

Definition 6 The contract C :: a ~ iA,G) refines the contract C :: a' = 
{A', G'), written C < C , if and only if a C a', A D'^' A' and G C'^' G' . 

We can now prove the following properties (the proof is quite straightforward 
and left to the reader): 

Lemma 2 If M is an implementation, Ci, C2, C3 and C4 four contracts, 

1. IfM h= Ci and Ci<C2, then Af ^ C2. 

2. IfCi < C2 and C3 ^ C4 then Ci \\ C3 =< C2 1| C4. 

3 Extension to Probabilistic Approach 

In this section we will adapt the definitions presented above in order to be able 
to express probabilistic properties, like reliability, while preserving composition- 
ality. 

What we want to express is the affirmation "This particular implementa- 
tion M satisfies the given contract C with level a", meaning that given the 
information of the contract C, we can prove that the (probabilistic) measure 
of the runs of M that do not satisfy the contract G (i.e. that are within the 
assumptions but outside of the guarantees) is not above 1 — a. More precisely, 
we still want to consider non-probabilistic assertions, but we want to be able 
to express that the environment may induce randomness in our assertions. We 
must therefore precise which of the variables/ports associated to the contract 
are controlled (internal variables for instance) or uncontrolled (controlled by 
the environment). We can then choose a subset of the uncontrolled ports to 
be subject to probability distributions. There will then remain a subset of the 
uncontrolled ports that we will consider non-deterministic. As a consequence, 
the signature of each assertion will be divided into two disjoint sets of ports, 
controlled or uncontrolled cr = u 1+) c (note that for a contract, there will only 
be one such signature). 
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3.1 Probabilistic Contracts, Implementations and Satis- 
faction 

Definition 7 A probabilistic contract is a tuple C = (C, p, P) with 

• C = (u, c, A, G) a non-probabilistic contract; 

• p C u a set of uncontrolled ports; 

• Pa probability distribution over the set of all histories of p. 

Note that the probabihty distribution is attached to the contract itself and 
not to the implementation. We can therefore give our contract to a supplier 
saying "Knowing that the histories of the ports of p will follow this distribution, 
can you build an implementation ensuring that 90% of the runs will satisfy the 
contract?". Let's now formally define this probabilistic satisfaction relation: 

Definition 8 An implementation M satisfies probabilistic contract C ~ (C, p,P) 
with level (3 (written M C) iff U-m ^ uc,cm = and 

M{M QGc)>(i 

N.B.: We still consider that C is in canonical form. 

The predicate M C Gc is a reference to the set of all histories of the ports in 
p that ensure the induced behaviors of the implementation M (i.e. the inverse 
projection on the set of runs of M) is included in the guaranteed behaviors, 
whatever other non-deterministic choices have been made. Formally: If lo is one 
possible history of the ports in p, we call Vl the set of all such histories, 

M{M c Gc) = P({t^ e 17 I {w} n A/ c'^'^ Gc}) 

This means that we measure the set of histories of p that ensure that the runs 
of M will be included in the guaranteed behavior, whatever non-deterministic 
choices are. Finally, M C means that the probability that M 1= C w.r.t. 
the distribution of histories on the probabilistic ports is higher than (5, whatever 
non-deterministic choices are. 

3.2 Probabilistic Composition 

The probabilistic point of view makes it more complicated to compose contracts. 
As the distributions on the probabilistic ports are linked to the contracts, what 
we absolutely do not want is to compose two contracts whose probabilistic ports 
overlap. Moreover we also want to avoid the case where a probabilistic port for 
the first contract is controlled by the second one (i.e. the first considers an 
input port as probabilistic, but this port is an output of the second). In order 
to keep a quite simple definition, and because we think this is not too major a 
restriction, we will only define the composition of two contracts when they have 
compatible sets of controlled/uncontrolled ports (i.e. Ci n C2 = 0). Thus the 
following definition: 

Definition 9 // Ci and C2 are 2 probabilistic contracts, their parallel composi- 
tion Ci \\ C2 is defined if and only if 
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1. Ci II C2 is defined (i.e. Ci n C2 = 0J; 

2. pi and p2 are disjoint sets 0/ uncontrolled ports in Ci \\ C2 (i.e. ports 
that are neither controlled by Ci or 02). 

Then we have 

[ C = Ci\\C2 
Ci II C2 = (C, p, P) with I p = pi W p2 

y p = Pi X P2 

The above definition makes it impossible to compose two contracts whose 
probabiUstic and controlled ports overlap. This could be seen as a major re- 
striction but there is a way to make such contracts compatible. Consider two 
probabilistic contracts Ci and C2, and suppose that the port x is controlled 
by Ci, but considered as probabilistic by C2. If we want to compose Ci and 
C2, we have to make the port x non-probabilistic in C2. Thus we consider the 
contracts C'2 = (C2,P2 \ {a;},P2) and Cx = (Cx, {a;p},Pf). F'2 is the restriction 
of P2 without X, Pf is the probability distribution considering only x, and Cx 
is a non-probabilistic contract we will call a wrapper, with three uncontrolled 
ports {xp, Xc and s) and one controlled port x. This wrapper selects with a 
non-deterministic port s G {p, c} the value that will be given to x between the 
probabilistic one and the one given by Ci. Composing €'2 with Cx thus enables 
us to compose it with Ci (renaming x to Xc). This is illustrated in FiglU where 
thick triangles denote probabilistic ports. The wrong version is on the top and 
the correct wrapped one is on the bottom. 





X 






► 




Ci 




C2 




Figure 1: Illustrating the wrapper mechanism 

We now prove that the composition is compatible with the satisfaction re- 
lation. The proof of this theorem relies on the fact that the probabilistic ports 
of contracts Ci and C2 arc disjoint. 

Theorem 1 IfCi andC2 are 2 probabilistic contracts that can be composed, Mi 
and M2 2 implementations such that Mi Ci for i = 1, 2 then 



Ml X M2 h/3i-,32 Ci II C: 



2- 
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Proof : 

The intuition behind this proof is to show that separate histories on the ports 
Pi and p2, each ensuring that its particular implementation behaves correctly, 
also ensure that the composition of the implementations will behave correctly. 
In short, the product of two correct histories is correct w.r.t. the composition 
of the contracts and implementations. This will be true because every "correct" 
history satisfies the corresponding contract whatever non-deterministic choices 
arc. 

Let's consider histories wi and W2, respectively on the sets pi and p2, such 
that Mi n {wi\ C"' Gi. 

As we said before, composition is by intersection over the common ports and 
variables. We therefore begin with the inverse projection over the set of variables 
we want to consider, and then intersect the runs. 

It is clear that Vw, {w} H Mi n M2 C"^ {w} n Mi , with tr = cti U (T2 ( assuming 
the inverse projections are correctly done on both sides). Moreover, {wi XW2}C\'^ 
Mi C"' {wj} Mi, whatever i or j. As a consequence: 

{wi X W2} nAfi n A/2 c'^ {wi X W2} n Mi 
c'^ {wi}r]Mi (z" Gi 

{wi X W2} nAfi n Af2 {wi X W2} n Af2 
{w2}r\M2 G2 

=4> {wi X 'u;2} n Ml n A/2 c*^ Gi n G2 

As a consequence, {wi} H A/,; C"'* G,; implies that 

{wi X W2} n Ml n A/2 C'"iu^2 p 

And finally 

f{{w I {w} n Ml n A/2 c^iU'^^ Gi n G2}) > /3i • /32 

Thus P(A/i n A/2 C Ci II C2) >Pi-P2- 

□ 

Note that we cannot find a better bound that Pi- (32, because if the contracts 
are independent (cri n cr2 = 0) , we clearly have 

X((A/i X A/2) C-iu.. (Gci nGcJ) = M{Mi C-i GcJ • M{M2 C'^^ GcJ 
3.3 Probabilistic Refinement 

As we want the probabilistic refinement relation to be compatible with com- 
position and satisfaction (and with the non-probabilistic relation), there is not 
much liberty in the way we can define it. Let's say that a contract Ci refines a 
contract G2 (written Ci C2). In order to be compatible with the composition, 
the probabilistic ports of Ci must be a subset of those of C2, and the distribution 
on these ports must be the same for Ci and C2. Moreover we want this relation 
to be compatible with implementation, which means that if an implementation 
satisfies Ci with level a, it must satisfy C2 with a level /3 that can be computed 
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from a. The idea for this is to measure the inclusion of the guarantees of Ci in 
the guarantees of C2 , and to use this measure in order to compute /3. 

Definition 10 If Ci = (Ci,pi,Pi) and C2 = (C2,P2,]P2) are two probabilistic 
contracts, we say that Ci refines C2 with level 7 (Ci C2) if and only if 

1. (Ji C 0-2,' 

2. pi C P2 and Pi is the marginal of ¥2 over pi; 

3. P2({ti^} G'2|{ij;} > ^ whatever non- deterministic choices are. 

7 is a measure of the inclusion of Gi in G2 , 7 = 1 meaning that Gi C G2 
almost all the time. 

As the definition for the refinement relation was built to be compatible with 
implementation, it is quite logical to prove the following theorem, which says 
that if an implementation satisfies a probabilistic contract with level (3, and 
if this contracts refines a second one with level 7, then the implementation 
satisfies the second contract with level j3 ■ 7. This should enable us to use 
simpler contracts in order to prove satisfaction. 

Theorem 2 If Ci = (Gi,pi,Pi) and C2 ~ (G2,P2,P2) are 2 probabilistic con- 
tracts and M an implementation, then 

M \=f3 Ci and Ci C2 M |=/3.'y €2- 

Proof : 

Because of the definition of the probabilistic refinement, this result is quite clear: 
P2(Af h C2) = ¥2{{w I {w} n M C-^ G2}) 

And 

P2({w I {w} nM C<^2 G2}) > 
^2{{w I {w} n M Gi}) • P2({w} c-^^ G2 \ {w} C-^^ 

And as Pi is the marginal of ¥2 over pi, 

P2(A/hC2)>/3-7 

□ 

Once again, we cannot find a finer bound because if G2 C'^^ q^^ have 
P2(Af hC2) =/3•7■ 
3.4 Problems with finer satisfaction relations 

The satisfaction relation we chose above is adapted to reliability analysis. It 
measures the runs of the implementations that have the right behaviour whatever 
non- deterministic choices are. Consequently one could wonder whether it would 
be of interest to try finer satisfaction relations, for example existential or even 
finer, checking every state the system goes through. 

These finer relations have been studied and ruled out of our work because 
they cannot be compositional for the following reasons: 
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Figure 2: Global System 



• An existential relation would allow us to say that "in 90% of the runs, 
there exist a way in which the environment can force our implementation 
to stay within the bounds of the guarantees" . This would be contrary to 
the principle of re-use, where we want to be sure that whatever the user 
asks of the component, it behaves safely. 

• An even finer satisfaction relation that would check every state the system 
goes through would be quite convenient in order to express disponibility 
properties. This kind of satisfaction relation would ponderate each infinite 
history of the probabilistic ports with the "amount" of visited states that 
ensure the guarantees. This would mean, for example, that for a particular 
history on the probabilistic ports, the induced behavior will stay within 
the guarantees with a probability at least a, whatever non-deterministic 
choices are. But knowing this probability is not enough to ensure com- 
positionality, because if we compose two contracts, the induced behaviour 
for a fixed history of the probabilistic ports must satisfy both contracts at 
the same time. 



3.5 Example 

Let's assume we want to build a system with 2 input ports a and b, 1 output 
port y. We want this system to avoid a state where y is true and a is false. We 
know there are possibly different sources of failure /i , /2 and /a but we suppose 
for the moment that will never happen. We decide to split the system into 
2 subsystems (Fig. [2]). We will ask a first supplier to build the first subsystem 
as a component satisfying a contract Ci, and to a second supplier, we give a 
contract C2. 

The first supplier will then provide us with an implementation Afi sat- 



isfying Ci with a level a (Fig. 3(a)), and the second will give us an im 



plementation A/2 satisfying C2 with a level P (Fig. 3(b)). Once we have 
these components, we know that their composition will satisfy the contract 
C — Ci \\ C2 ~ (never(/3), never(/3) => never (-la Ay)), with a level a-/3 (Fig.H]). 

Now consider the case when we discover that may in fact happen. The 
contract C is not realistic anymore, as it supposes that /s never happens. In 
consequence, wc want to know how our components will satisfy a contract C = 
(T, never(-ia A y)). Instead of trying to find a new decomposition into different 
subcontracts, we just have to compute the level of refinement 7 such that C 
C". We will then know that Mi \\ M2 Ha/37 ^' ■ This probability 7 may be 
written as follows: 
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Ci = (never(/3),never(/3) ^ never((/))) 
with (j) ~ A X 

Ml ha Ci 



C2 = (T,always(y = x)) 
with (j> = A X 
M2 h,3 C2 



2; = (a V /i V /a) A 6 



/i 



/3 



a = P(never(/i)) 

(a) Ah 



P = P(never(/2)) 

(b) A/2 



a 


y — if then /2 else x 


y 3 






X 






/2 





Figure 3: Subcomponents 

C = Ci II C2 = (never(/3),never(/3) ^ never(-.a A y)) 
Ml II M2 ha-/3 C- 



(q V /i V /a) A fc 



y — if then /2 else a; 



Figure 4: Composition of the implementations 



7 = P(never(-ia A ii/)|never(/3) never(-ia A y)) 



4 Related work 

The problem of reliability analysis is widely present in the literature. Several 
attempts have been presented in the domain of probabilistic model checking in 
order to express probabilistic properties and check whether a particular system 
satisfies them. pCTL and pCTL*, for example, can be used to specify prop- 
erties such as reliability and performance |HJ89[ lASBSVQS] . There even exist 
extensions of pCTL and pCTL* in which the probabilistic behaviour coexist 
with non-determinism |BdA95| . However, in these formalisms, the probabilistic 
point of view is inherent to the system checked. Consequently, compositionality 
is not an issue for them. Our formalism, on the contrary, considers probabili- 
ties as an assumption on the environment. In this way, we only consider open 
systems for which probabilities and non-determinism comes from the environ- 
ment. In this way, compositionality can be proved and used in order to obtain 
a modular analysis. 

On the other hand, compositional reliability analysis tools and formalisms 
have already been developed in the literature, such as Arcade [BCH+OS] or 
Dynamic Fault Trees |BCS07| for example. These formalisms present compo- 
sitional reliability analysis as it is actually done in the industry, that is to say 
without any behavioural interpretation. Our approach is different. We want 
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to be able to reason on the behaviours of components, and not only on their 
failure probability. Of course our formalism captures such classical analysis, 
but it allows much more because the satisfaction relation is strongly linked to 
the behaviour of the implementations. Moreover, as our formalism allows as- 
sumptions on the environment, it can capture situations where two separate 
implementations do not satisfy their respective contracts, but their composition 
satisfies the composition of the contracts because of the assumptions on the 
environment, which would not be possible with a classical reliability analysis. 

Finally, the probabilistic refinement relation we have built does not have an 
equivalent in the classical reliability analysis. It allows to compute the prob- 
abilistic satisfaction of a contract while only considering information on the 
probabilistic satisfaction of another contract and on the relations between these 
contracts. 

5 Conclusion and further work 

In this paper, we have presented a compositional theory of probabilistic con- 
tracts, capable of capturing reliability aspects of components and systems. This 
theory enables a behavioural interpretation of reliability, which was not the case 
in the existing compositional formalisms. 

There are several natural directions to continue this work. 

First, what we present here is a very general theory with few direct applica- 
tions. Computing the satisfaction and refinement probabilities efficiently would 
require to narrow the field of applications. In practice, assertions and machines 
will be deterministic open transition systems and never sets of run. We are 
actually developing a more practical approach where contracts are Markov De- 
cision Processes and implementations open transition systems. In this approach, 
computing the satisfaction and refinement probabilities relies on the existence 
of pure optimal strategies in mean-payoff Markov Decision Processes jGimOTj . 

Finally, the same kind of probabilistic point of view could be adapted to 
contracts residuation |Rac08| , which would give a practical way to build (canon- 
ical?) implementations from the residuation of the guarantees of a contract by 
its assumptions. 
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